6.4.1. Configuring Roles

The recommended way to configure roles and permissions is as follows:

  1. Create a Default role, which revokes all system rights. The simplest way to do it is to create a role of the Denying type. Select the Default role checkbox to automatically assign this role to all new users.

  2. Create a set of roles for granting specific rights to different user categories. There are two strategies for creating such roles:

    • Coarse-grained roles – each role has a permission set for the full range of user responsibilities in the system. For example, Sales Manager, Accountant. Only one role is assigned to each user when using this strategy, excluding the Default role.

    • Fine-grained roles – each role has a small permission set to execute specific functions within the system. For example, Task Creator, References Editor. Each user will then be assigned numerous roles according to their range of responsibilities.

    The strategies can also be combined. Create a set of roles for granting specific rights to different user categories. There are two strategies for creating such roles:

  3. It is possible to leave the system administrator without any assigned roles, in which case, they will have all the rights to all the system objects. Alternatively, a Super type role, overriding any restriction imposed by other roles, can be assigned.

Access to administrative functionality

Below is a quick reference of permissions that should be allowed in a Denying role to provide access to the Administration functionality. For example, if you want to allow nothing but Entity log functionality, set the permissions mentioned in the corresponding section.

It is recommended to provide at least a read-only permissions for the sys$FileDescriptor entity as it is widely used by the platform: emailing, attachments, logging etc.

The permissions described below can be configured in the Role editor on the corresponding tabs: Entity, Screen or Specific.

Moreover, the default access to system entities can be configured using the cuba.defaultPermissionValuesConfig application property.


The User entity may be used as a reference attribute in your data model. To make it visible in lookup fields and drop-down lists, it will be enough to set the permission for the sec$User entity.

In case you want to create and edit the User entity from a Denying role, the following set of permissions is required:

  • Entities: sec$User, sec$Group; (optionally) sec$Role, sec$UserRole, sec$UserSubstitution.

Permission to read the sec$UserSubstitution entity is essential for functioning of the user substitution mechanism.

  • Screens: Users menu item, sec$User.edit, sec$Group.lookup; (optionally) sec$Group.edit, sec$Role.edit, sec$Role.lookup, sec$User.changePassword, sec$User.copySettings, sec$User.newPasswords, sec$User.resetPasswords, sec$UserSubstitution.edit.

Access Groups

Creating and managing the user access groups and security constraints.

  • Entities: sec$Group, sec$Constraint, sec$SessionAttribute, sec$LocalizedConstraintMessage.

  • Screens: Access Groups menu item, sec$Group.lookup, sec$Group.edit, sec$Constraint.edit, sec$SessionAttribute.edit, sec$LocalizedConstraintMessage.edit.

Dynamic Attributes

Access to additional non-persistent entity attributes.

  • Entities: sys$Category, sys$CategoryAttribute, and the required entities of your data model.

  • Screens: Dynamic Attributes menu item, sys$Category.edit, sys$CategoryAttribute.edit, dynamicAttributesConditionEditor, dynamicAttributesConditionFrame.

User Sessions

Viewing the user sessions data.

  • Entities: sec$User, sec$UserSessionEntity.

  • Screens: User Sessions menu item, sessionMessageWindow.


Setting up Pessimistic locking for the entities.

  • Entities: sys$LockInfo, sys$LockDescriptor, and the required entities of your data model.

  • Screens: Locks menu item, sys$LockDescriptor.edit.

External Files

Access to the application File storage.

  • Entities: sys$FileDescriptor.

  • Screens: External Files menu item; (optionally) sys$FileDescriptor.edit.

Scheduled Tasks

Creating and managing scheduled tasks.

  • Entities: sys$ScheduledTask, sys$ScheduledExecution.

  • Screens: Scheduled Tasks menu item, sys$ScheduledExecution.browse, sys$ScheduledTask.edit.

Entity Inspector

Working with any application objects from the screens dynamically generated by the entity inspector.

  • Entities: the required entities of your data model.

  • Screens: Entity Inspector menu item, entityInspector.edit, and the required entities of your data model.

Entity Log

Tracking the entity persistence at the entity listeners level.

  • Entities: sec$EntityLog, sec$User, sec$EntityLogAttr, sec$LoggedAttribute, sec$LoggedEntity, and the required entities of your data model.

  • Screens: Entity Log menu item.

User Session Log

Viewing the historical data on the users' login and logout, or user sessions.

  • Entities: sec$SessionLogEntry.

  • Screens: User Session Log menu item.

Email History

Viewing the emails sent from the application.

  • Entities: sys$SendingMessage, sys$SendingAttachment, sys$FileDescriptor (for attachments).

  • Screens: Email History menu item, sys$SendingMessage.attachments.

Server Log

Viewing and downloading the application log files.

  • Entities: sys$FileDescriptor.

  • Screens: Server Log menu item, serverLogDownloadOptionsDialog.

  • Specific: Download log files.

Screen Profiler

The statistics on the application screens usage and spent time.

  • Entities: sec$User, sys$ScreenProfilerEvent.

  • Screens: Screen Profiler menu item.


Running reports, see Report Generator add-on.

  • Entities: report$Report, report$ReportInputParameter, report$ReportGroup.

  • Screens: report$inputParameters, commonLookup, report$Report.run, report$showChart (if contains chart templates).